Re: Issue #68: VPNs with overlapping IP address ranges (was Re: 2401bis issues (possible) resolution)
>>>>> "Tero" == Tero Kivinen <kivinen@ssh.fi> writes:
>> When a security Gateway is operating on behalf of multiple contexts
>> (e.g. multiple subscribers, or multiple ppvpn-style overlay addressing
>> contexts), it is essential that the initiator be able to convey to the
>> responder which context is being addressed.
Tero> Do not use IP addresses as IKE SA identities then. Use DNS
Tero> names or email addresses or something else. There is no need to use
Tero> IP addresses in those cases (or actually using IP addresses would
Tero> be quite bad, as it is not unique...).
I concur.
Particularly for IKEv2, the #1 reason to use IP addresses as IDs in IKEv1
was because of limitations of PSK.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [